Policies define desired state and evidence as structured data, not scripts. They’re compiled into constrained contracts that execution engines must follow, producing attestations instead of free-form output.
The contract model limits what execution can do, preventing policy logic from turning into ad-hoc tooling, while allowing the same policy to run across different environments and backends.
ESP focuses on portable intent, constrained execution, and verifiable outcomes — not embedding policy into tools.
scanset•1h ago
ESP treats policy as data and compiles it into constrained contracts. Those contracts can be mapped to external frameworks (NIST 800-53/171, CIS, MITRE ATT&CK, etc.) without embedding framework logic into execution. The mapping lives at the policy layer; execution stays generic.
Its strength is in Zero Trust–style architectures: policies define what state is allowed, execution verifies it continuously, and evidence is emitted as attestations rather than one-off reports. That makes it easier to reason about drift, enforcement, and trust boundaries over time.
It’s not a scanner replacement by itself — it’s a substrate for expressing and enforcing policy intent consistently across environments.
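As an added illustration of the split both comments above describe (policy as data, compiled into a constrained contract, executed by a generic engine that emits attestations, with framework mappings kept at the policy layer), here is a small Python sketch. It is a constructed example written for this thread, not ESP's own format, API or code; every policy key, operation name, framework identifier and host snapshot in it is made up.

```python
"""Toy policy-as-data pipeline: policy (data) -> contract -> attestations.

Hypothetical sketch, not ESP's format or API. All identifiers are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable

# Constructed policy: pure data, no scripts. Framework mappings live here,
# at the policy layer, and never reach the execution engine's logic.
EXAMPLE_POLICY = {
    "id": "ssh-hardening-v1",
    "mappings": {"NIST-800-53": ["AC-6", "IA-2"], "CIS": ["5.2.10"]},
    "checks": [
        {"id": "no-root-login", "resource": "sshd_config",
         "key": "PermitRootLogin", "op": "equals", "expected": "no"},
        {"id": "no-password-auth", "resource": "sshd_config",
         "key": "PasswordAuthentication", "op": "equals", "expected": "no"},
        {"id": "no-telnet", "resource": "packages", "key": "telnetd", "op": "absent"},
    ],
}

# The contract vocabulary is closed: a policy can only ask for these operations,
# which is what keeps execution from turning into ad-hoc scripting.
ALLOWED_OPS = {"equals", "absent"}


@dataclass(frozen=True)
class Check:
    id: str
    resource: str
    key: str
    op: str
    expected: Any = None


@dataclass(frozen=True)
class Contract:
    policy_id: str
    checks: tuple        # tuple[Check, ...]
    mappings: dict       # carried as metadata only


@dataclass(frozen=True)
class Attestation:
    policy_id: str
    check_id: str
    backend: str
    op: str
    expected: Any
    observed: Any
    passed: bool
    mappings: dict       # copied from the policy so reports can cite frameworks
    observed_at: str     # ISO-8601 UTC timestamp


def compile_policy(policy: dict) -> Contract:
    """Validate policy data against the closed vocabulary and freeze it."""
    checks = []
    for c in policy["checks"]:
        if c["op"] not in ALLOWED_OPS:
            raise ValueError(f"check {c['id']}: op {c['op']!r} not in contract vocabulary")
        if c["op"] == "equals" and "expected" not in c:
            raise ValueError(f"check {c['id']}: 'equals' requires an expected value")
        checks.append(Check(c["id"], c["resource"], c["key"], c["op"], c.get("expected")))
    return Contract(policy["id"], tuple(checks), dict(policy.get("mappings", {})))


# A backend answers "what is the observed value of (resource, key)?" and nothing
# else. None means the item is not present. Any environment can supply one.
Backend = Callable[[str, str], Any]


def execute(contract: Contract, backend: Backend, backend_name: str) -> list:
    """Generic engine: evaluates only the contract's ops, emits attestations."""
    now = datetime.now(timezone.utc).isoformat()
    out = []
    for chk in contract.checks:
        observed = backend(chk.resource, chk.key)
        passed = observed == chk.expected if chk.op == "equals" else observed is None
        out.append(Attestation(contract.policy_id, chk.id, backend_name, chk.op,
                               chk.expected, observed, passed, contract.mappings, now))
    return out


def drifted(before: list, after: list) -> list:
    """Check ids that passed in an earlier run but fail in a later one."""
    was_ok = {a.check_id for a in before if a.passed}
    return sorted(a.check_id for a in after if not a.passed and a.check_id in was_ok)


def snapshot_backend(state: dict) -> Backend:
    """Constructed backend reading from an in-memory host snapshot."""
    return lambda resource, key: state.get(resource, {}).get(key)


# Constructed host snapshots: HOST_B has drifted from HOST_A's compliant state.
HOST_A = {"sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
          "packages": {}}
HOST_B = {"sshd_config": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
          "packages": {"telnetd": "0.17"}}

if __name__ == "__main__":
    contract = compile_policy(EXAMPLE_POLICY)
    first = execute(contract, snapshot_backend(HOST_A), "snapshot-a")
    second = execute(contract, snapshot_backend(HOST_B), "snapshot-b")
    for a in second:
        print(a.check_id, "PASS" if a.passed else "FAIL", a.mappings)
    print("drifted:", drifted(first, second))
```

The same `EXAMPLE_POLICY` runs unchanged against any backend that answers `(resource, key)` queries, and an unknown `op` is rejected at compile time rather than silently executed, which is the constraint the thread is describing.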